[arch-general] Clarification on pacman signature verification
Hi,

This is regarding package verification performed by pacman.

Does pacman download the .sig file of a package while installing one? All I could find are the local cached copies of packages only but not their signatures. If that's the case, how does pacman verify the integrity of the downloaded package? It could be that the .sig file could have been downloaded into /tmp during installation or to another location that I'm not aware of yet. This brings me to my next point.

I've manually downloaded just the package file (of some random package) from a mirror and disconnected from the Internet. I used both 'pacman -U <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the installation went just fine. I was expecting Pacman to emit an error stating that the signature was missing, but nothing happened. Could someone care to explain this?

BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.

- Solomon
On Mon, 25 Jan 2016 15:13:24 +0530 Solomon Lam <phrackmod@gmail.com> wrote:
> Hi,
>
> This is regarding package verification performed by pacman.
>
> Does pacman download the .sig file of a package while installing one? All I could find are the local cached copies of packages only but not their signatures. If that's the case, how does pacman verify the integrity of the downloaded package? It could be that the .sig file could have been downloaded into /tmp during installation or to another location that I'm not aware of yet. This brings me to my next point.
>
> I've manually downloaded just the package file (of some random package) from a mirror and disconnected from the Internet. I used both 'pacman -U <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the installation went just fine. I was expecting Pacman to emit an error stating that the signature was missing, but nothing happened. Could someone care to explain this?
>
> BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
>
> - Solomon
Signatures are kept in the databases.
On 01/25/2016 04:43 AM, Solomon Lam wrote:
> Hi,
>
> This is regarding package verification performed by pacman.
>
> Does pacman download the .sig file of a package while installing one? All I could find are the local cached copies of packages only but not their signatures. If that's the case, how does pacman verify the integrity of the downloaded package? It could be that the .sig file could have been downloaded into /tmp during installation or to another location that I'm not aware of yet. This brings me to my next point.
>
> I've manually downloaded just the package file (of some random package) from a mirror and disconnected from the Internet. I used both 'pacman -U <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the installation went just fine. I was expecting Pacman to emit an error stating that the signature was missing, but nothing happened. Could someone care to explain this?
>
> BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
>
> - Solomon
Packages from the Sync database have their signatures (if any) embedded in the db itself.

If you really don't trust your own computer, set:

LocalFileSigLevel = Required

That will make installing AUR packages slightly awkward...

Local files default to Optional, Remote files to Required, so if you use `pacman -U http://address.of/package.tar.xz` then it will download the package *and* signature for you. Once there is a *.sig, pacman will demand it be a valid one.

-- Eli Schwartz
Thanks for the reply. I think I got my answer.

I noticed that the 'desc' file of a package (inside the db) contains 'md5' and 'sha256' checksums as well. So, does pacman perform pgp verification or checksum verification during installation?

On Mon, Jan 25, 2016 at 8:08 PM, Eli Schwartz <eschwartz93@gmail.com> wrote:
> On 01/25/2016 04:43 AM, Solomon Lam wrote:
>> Hi,
>>
>> This is regarding package verification performed by pacman.
>>
>> Does pacman download the .sig file of a package while installing one? All I could find are the local cached copies of packages only but not their signatures. If that's the case, how does pacman verify the integrity of the downloaded package? It could be that the .sig file could have been downloaded into /tmp during installation or to another location that I'm not aware of yet. This brings me to my next point.
>>
>> I've manually downloaded just the package file (of some random package) from a mirror and disconnected from the Internet. I used both 'pacman -U <pkg-name>' and 'pacman -S <pkg-name>' to install the package and the installation went just fine. I was expecting Pacman to emit an error stating that the signature was missing, but nothing happened. Could someone care to explain this?
>>
>> BTW, I have SigLevel = Required DatabaseOptional in my pacman.conf.
>>
>> - Solomon
>
> Packages from the Sync database have their signatures (if any) embedded in the db itself.
>
> If you really don't trust your own computer, set:
>
> LocalFileSigLevel = Required
>
> That will make installing AUR packages slightly awkward...
>
> Local files default to Optional, Remote files to Required, so if you use `pacman -U http://address.of/package.tar.xz` then it will download the package *and* signature for you. Once there is a *.sig, pacman will demand it be a valid one.
>
> -- Eli Schwartz
On 01/25/2016 01:35 PM, Solomon Lam wrote:
> Thanks for the reply. I think I got my answer.
>
> I noticed that the 'desc' file of a package (inside the db) contains 'md5' and 'sha256' checksums as well. So, does pacman perform pgp verification or checksum verification during installation?
It just uses the best verification available. Test it by running `pacman -Sw --debug somepackage`

Any package in the main repos will have a signature -- it will only verify that.

A custom repo for AUR packages (I keep one) will likely not be signed, and if not will be verified with sha256sum. md5sum is only there for old times' sake, I think. I guess if you have a repo generated by really old versions of repo-add, it will only have an md5sum and verify that.

-- Eli Schwartz
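The behaviour Eli describes across his two replies (the signature living inside the sync db's `desc` entry, `LocalFileSigLevel` defaulting to Optional so a lone local file installs without a `.sig`, and "best verification available" meaning pgp over sha256 over md5) can be reduced to a small model. The following is an added example written for this thread, not pacman's own code: the `desc` entry, package bytes and signature blob are constructed placeholders, `gpg_verify` is an assumed callback standing in for the GnuPG call pacman actually makes, and the local/remote defaults are taken from Eli's reply rather than from pacman's source.

```python
"""Added example, not pacman's own code: how the verification method for a
package is picked from a sync-db 'desc' entry, and how SigLevel /
LocalFileSigLevel decide whether a missing signature is fatal. Real OpenPGP
checking is delegated to GnuPG by pacman; the caller supplies a `gpg_verify`
callable (assumed name) in its place."""
import base64
import hashlib

# Constructed sample package bytes; not a real .pkg.tar.xz.
PKG_BYTES = b"constructed package contents for the example\n"

# Constructed stand-in for the detached .sig that a real desc entry carries
# base64-encoded under %PGPSIG%. It is NOT an OpenPGP signature.
FAKE_SIG_RAW = b"placeholder detached signature"
FAKE_SIG_B64 = base64.b64encode(FAKE_SIG_RAW).decode()


def make_desc(signed=True, sha256=True):
    """Build a trimmed sync-db 'desc' entry for PKG_BYTES. Real entries carry
    more fields (%CSIZE%, %DEPENDS%, ...); the %KEY%/value/blank-line layout
    is the real one."""
    sections = ["%FILENAME%\nexample-1.0-1-x86_64.pkg.tar.xz\n",
                "%NAME%\nexample\n",
                "%VERSION%\n1.0-1\n",
                "%MD5SUM%\n" + hashlib.md5(PKG_BYTES).hexdigest() + "\n"]
    if sha256:
        sections.append("%SHA256SUM%\n" + hashlib.sha256(PKG_BYTES).hexdigest() + "\n")
    if signed:
        sections.append("%PGPSIG%\n" + FAKE_SIG_B64 + "\n")
    return "\n".join(sections)


def parse_desc(text):
    """Parse a desc entry into {FIELD: [values]}; a blank line ends a field."""
    fields, key = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            fields[key] = []
        elif not line.strip():
            key = None
        elif key is not None:
            fields[key].append(line)
    return fields


def best_method(fields):
    """The strongest check the db offers: signature, else sha256, else md5."""
    for field, method in (("PGPSIG", "pgp"), ("SHA256SUM", "sha256"), ("MD5SUM", "md5")):
        if fields.get(field):
            return method
    return None


def verify_package(fields, pkg_bytes, gpg_verify):
    """Return (method, ok). Only the best available method is checked; a
    failed signature does not fall back to a checksum."""
    method = best_method(fields)
    if method == "pgp":
        sig = base64.b64decode(fields["PGPSIG"][0])   # the blob from the db
        return method, bool(gpg_verify(pkg_bytes, sig))
    if method == "sha256":
        return method, hashlib.sha256(pkg_bytes).hexdigest() == fields["SHA256SUM"][0]
    if method == "md5":
        return method, hashlib.md5(pkg_bytes).hexdigest() == fields["MD5SUM"][0]
    return None, False


def package_level(sig_level):
    """Reduce a SigLevel value such as 'Required DatabaseOptional' to the level
    that applies to packages: Database* words are ignored, a Package* prefix
    is stripped, later words override earlier ones. TrustedOnly/TrustAll are
    out of scope for this model."""
    level = None
    for word in sig_level.split():
        if word.startswith("Database"):
            continue
        if word.startswith("Package"):
            word = word[len("Package"):]
        if word in ("Required", "Optional", "Never"):
            level = word
    return level


def install_allowed(level, signature_present, signature_valid=False):
    """Never: no check. Required: a valid signature must exist.
    Optional: a signature is checked only if present; absence is fine."""
    if level == "Never":
        return True
    if signature_present:
        return signature_valid
    return level == "Optional"


# Effective levels for the thread's setup: Solomon's SigLevel for sync
# packages, and the local/remote defaults as stated in Eli's reply.
DEFAULT_LEVELS = {"sync": "Required DatabaseOptional",
                  "local": "Optional",
                  "remote": "Required"}


def thread_scenarios(levels=DEFAULT_LEVELS):
    """Replay the installs from the thread and say whether each passes."""
    db = parse_desc(make_desc(signed=True))
    method, ok = verify_package(db, PKG_BYTES, lambda data, sig: sig == FAKE_SIG_RAW)
    return {
        # pacman -S: the signature is embedded in the synced db, so it is
        # present and checked even though no .sig file sits in the cache.
        "pacman -S repo package": install_allowed(package_level(levels["sync"]), True, ok and method == "pgp"),
        # pacman -U <file> with no .sig beside it: LocalFileSigLevel applies.
        "pacman -U local file, no .sig": install_allowed(package_level(levels["local"]), False),
        # pacman -U <URL>: the .sig is fetched with the package; model none being served.
        "pacman -U remote URL, no .sig": install_allowed(package_level(levels["remote"]), False),
    }


if __name__ == "__main__":
    for name, allowed in thread_scenarios().items():
        print(f"{name:32} -> {'installs' if allowed else 'rejected'}")
    hardened = dict(DEFAULT_LEVELS, local="Required")
    print("LocalFileSigLevel = Required, local no-sig:",
          thread_scenarios(hardened)["pacman -U local file, no .sig"])
```

Running it reproduces Solomon's observation: the `-S` install passes because the signature is verified out of the db, and the local `-U` install passes because `Optional` only checks a signature that is present; switching the local level to `Required` is what turns the missing `.sig` into a rejection.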
Participants (3): Doug Newgard, Eli Schwartz, Solomon Lam